MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d298f01dbeb1a5b4b1c7ce890795bb8d5f59c10bc14b3fc57604575b1a4c4438. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d298f01dbeb1a5b4b1c7ce890795bb8d5f59c10bc14b3fc57604575b1a4c4438
SHA3-384 hash: de82796530bff7cbef8c3a8cfa5d4f38fdf9a514aa9e30946566835376517742e06908db0e3610245f9a3a38e3aa1f8a
SHA1 hash: d985d8d1befd7e71089d6277fad8aa3cb680c314
MD5 hash: bc6e638cd8a108108e31e6c74fb323fc
humanhash: river-muppet-romeo-glucose
File name:MT103-Copy.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:975'360 bytes
First seen:2022-06-09 05:42:14 UTC
Last seen:2022-06-09 06:55:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:4OkLdXuqnQbahBwRMsFDtBNrlkMp5ewIjjnk:xkLdXuu+DtBIMbewYrk
Threatray 4'370 similar samples on MalwareBazaar
TLSH T17725222937ED5366DABE07FE6CAA40419330E212653BFB0E4F8132DA4C5B791592731B
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MT103-Copy.exe
Verdict:
Malicious activity
Analysis date:
2022-06-09 06:16:49 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/e8d52290-e2cf-4f1c-908b-8a806a18e5fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/278026/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.32610.29129.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Moving of the original file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a188a79bbf30d03f45c06e/reports/96a89afa-d89d-4ba1-a52f-bda44189ec0b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c9a7a9c-1bc3-4342-a92a-fcb2a319e11c
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1009678
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 642172 Sample: MT103-Copy.exe Startdate: 09/06/2022 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 7 other signatures 2->41 7 MT103-Copy.exe 18 2->7         started        process3 file4 23 C:\Users\user\AppData\...\rjYHJgKuog.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpA053.tmp, XML 7->25 dropped 27 C:\Users\user\AppData\...\MT103-Copy.exe.log, ASCII 7->27 dropped 43 May check the online IP address of the machine 7->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 Adds a directory exclusion to Windows Defender 7->47 49 2 other signatures 7->49 11 MT103-Copy.exe 15 6 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 bhungar.com 162.222.226.133, 49765, 49777, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->29 31 checkip.dyndns.com 193.122.6.168, 49761, 80 ORACLE-BMC-31898US United States 11->31 33 2 other IPs or domains 11->33 51 Moves itself to temp directory 11->51 53 Tries to steal Mail credentials (via file / registry access) 11->53 55 Tries to harvest and steal ftp login credentials 11->55 57 Tries to harvest and steal browser information (history, passwords, etc) 11->57 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d298f01dbeb1a5b4b1c7ce890795bb8d5f59c10bc14b3fc57604575b1a4c4438/
Threat name:
ByteCode-MSIL.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 10:30:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2kmpahn6wgs3jmohz2eqpfn3rvpvtqilyfft7rlwarlvwgsmiq4a._file
Verdict:
malicious
Similar samples:
2ff83b92db02e32a0a981b75575dac7b521a343754cdfaf493fbf7f93cb38100
SnakeKeylogger
382184e7571f141ed3e438ed7a88975d09b2305f827ff6b7ac65d0d31a2455c5
SnakeKeylogger
3bb08043abef19a94934ff3cf96328f6c4a72e3261df424971911094c90ced6c
SnakeKeylogger
6b2709906a90b8d70e1f315ecf52eb67c9fecd1a65523aa46b4823786ba701d9
SnakeKeylogger
7b70539f965304695a75a493f50370ce9a9fcebc0a0667aadf11b3a4c540c8e7
SnakeKeylogger
a3e03b14952892c47905fc23fa009c3ba80c9ea3e53516fca5def4e71db51463
SnakeKeylogger
cab9ea99be713d04dfb08a504ae6cb92ceebca932ae5651f106045a86966bba4
SnakeKeylogger
e08a365b67b9efe1951cd8e903a70baa22da309c80d25c44d5b3bb863318e981
SnakeKeylogger
+ 4'360 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220609-gekp5sefen/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops desktop.ini file(s)
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4
MD5 hash:
07e1f7163b7d8b6d80d83d1c819436ef
SHA1 hash:
ed7724c52e18b9810939327b803ca03837915836
Link:
https://www.unpac.me/results/b17ce248-e4da-4e97-8505-b20fdd0f6994/
Parent samples :
1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f
SH256 hash:
6caa30ac5659749cb21ba2b24d50be82e4c7c5cba444d4f05a00d955374cc97d
MD5 hash:
b4ec347d9c2551a0f67a349f6b19f04f
SHA1 hash:
c1869891f96d42f83b829848a3028dd1420a6bfd
Link:
https://www.unpac.me/results/b17ce248-e4da-4e97-8505-b20fdd0f6994/
SH256 hash:
12bef05d1d991f453cf1c15b29499c546d69243f6cb6f96180b72eb28c4aad7b
MD5 hash:
c92f7fa5ae2f8357647809599a20ff74
SHA1 hash:
e25305422e2acdaf5622bbbfe45b2268bd38837b
Link:
https://www.unpac.me/results/b17ce248-e4da-4e97-8505-b20fdd0f6994/
SH256 hash:
a4445591e3bef2d48e6390c48d7e409500e93cc0e2e7a33ac562a0538485cf29
MD5 hash:
6281b641916f028fa709759c6e77a67d
SHA1 hash:
ce1292a37c816940d01a24bff695d91882f63d22
Link:
https://www.unpac.me/results/b17ce248-e4da-4e97-8505-b20fdd0f6994/
SH256 hash:
7d465217b08534623162a9a6e64a65cd3ad3625c644eb8220d9d7332f0671129
MD5 hash:
5b66e75db9c58c3c16cc832ceff64ed3
SHA1 hash:
bcaacdbcfd3d1a6145c33419c380049250ae8df9
Link:
https://www.unpac.me/results/b17ce248-e4da-4e97-8505-b20fdd0f6994/
SH256 hash:
b7801a1e3580e7f439c1fe6dace8c2d89e97597fbbd075ed6a4fbb0b44ee7079
MD5 hash:
f90e835df0e19a8220a26967f6c5e43f
SHA1 hash:
67fe830d59a9ff7ffa9a6942c91e7106d8e6fa93
Link:
https://www.unpac.me/results/b17ce248-e4da-4e97-8505-b20fdd0f6994/
SH256 hash:
d298f01dbeb1a5b4b1c7ce890795bb8d5f59c10bc14b3fc57604575b1a4c4438
MD5 hash:
bc6e638cd8a108108e31e6c74fb323fc
SHA1 hash:
d985d8d1befd7e71089d6277fad8aa3cb680c314
Link:
https://www.unpac.me/results/b17ce248-e4da-4e97-8505-b20fdd0f6994/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d298f01dbeb1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d298f01dbeb1a5b4b1c7ce890795bb8d5f59c10bc14b3fc57604575b1a4c4438

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/278026/

Comments